    policies:
      - name: ec2-tag-compliance
        resource: ec2
        comment: |
          Report on total count of non compliant instances
        filters:
          - or:
              - "tag:Owner": absent
              - "tag:CostCenter": absent
              - "tag:Project": absent

Enforce Tag Compliance

All EC2 non-AutoScaling instances that do not have the three required tags (CostCenter, Owner, Project)
will be stopped hourly after 2 days, and terminated after 5 days.

    policies:

      - name: ec2-tag-compliance-mark
        resource: ec2
        comment: |
          Find all (non-ASG) instances that are not conformant
          to tagging policies, and tag them for stoppage in 1 days.
        filters:
          - "tag:aws:autoscaling:groupName": absent
          - "tag:c7n_status": absent
          - or:
              - "tag:Owner": absent
              - "tag:CostCenter": absent
              - "tag:Project": absent
        actions:
          - type: mark-for-op
            op: stop
            days: 1

      - name: ec2-tag-compliance-unmark
        resource: ec2
        comment: |
          Any instances which have previously been marked as
          non compliant with tag policies, that are now compliant
          should be unmarked as non-compliant.
        filters:
          - "tag:Owner": not-null
          - "tag:CostCenter": not-null
          - "tag:Project": not-null
          - "tag:c7n_status": not-null
        actions:
          - unmark
          - start

      - name: ec2-tag-compliance-stop
        resource: ec2
        comment: |
          Stop all non autoscaling group instances previously marked
          for stoppage by today's date, and schedule termination in
          2 days. Also verify that they continue to not meet tagging
          policies.
        filters:
          - "tag:aws:autoscaling:groupName": absent
          - type: marked-for-op
            op: stop
          - or:
              - "tag:Owner": absent
              - "tag:CostCenter": absent
              - "tag:Project": absent
        actions:
          - stop
          - type: mark-for-op
            op: terminate
            days: 3

      - name: ec2-tag-compliance-terminate
        resource: ec2
        comment: |
          Terminate all stopped instances marked for termination
          by today's date.
        filters:
          - "tag:aws:autoscaling:groupName": absent
          - type: marked-for-op
            op: terminate
          - or:
              - "tag:Owner": absent
              - "tag:CostCenter": absent
              - "tag:Project": absent
        actions:
          - type: terminate
            force: true

      - name: ec2-tag-compliance-nag-stop
        resource: ec2
        comment: |
          Stop all instances marked for termination every hour
          starting 1 day before their termination.
        filters:
          - "tag:aws:autoscaling:groupName": absent
          - type: marked-for-op
            op: terminate
            skew: 1
          - or:
              - "tag:CostCenter": absent
              - "tag:Owner": absent
              - "tag:Project": absent
        actions:
          - stop

Enforce Tag Compliance

All AutoScaling Groups that do not have the 5 required tags
(Resource Contact, Billing Cost Center, Environment, Resource Purpose, Business Unit)
will be suspended and stopped once after 24 hours and then hourly after 2 days,
and terminated after 3 days. We are using a custom tag named c7n_tag_compliance.

    vars:
      tag-filters: &tag-compliance-filters
        - "tag:ResourceContact": absent
        - "tag:BillingCostCenter": absent
        - "tag:Environment": absent
        - "tag:ResourcePurpose": absent
        - "tag:BusinessUnit": absent

    policies:

      - name: asg-tag-compliance-mark-new-day-0
        resource: asg
        mode:
          type: cloudtrail
          events:
            - source: autoscaling.amazonaws.com
              event: CreateAutoScalingGroup
              ids: requestParameters.autoScalingGroupName
        description: |
          Marks newly launched non-compliant ASGs if missing any of the required tags
          also tags the owners.
        comments: |
          Your ASG and ASG instances do not have all the required tags on them and will be suspended
          in 24 hours if all the required tags have not been added. If tags are not made compliant
          after 3 days your ASG and instances will be deleted.
        filters:
          - "tag:c7n_tag_compliance": absent
          - or: *tag-compliance-filters
        actions:
          - type: mark-for-op
            tag: c7n_tag_compliance
            op: suspend
            days: 1
          - type: auto-tag-user
            tag: CreatorName
            principal_id_tag: CreatorId
          - type: notify
            template: default.html
            priority_header: 1
            subject: "ASG - Missing Required Tags - [custodian {{ account }} - {{ region }}]"
            violation_desc: |
              Your ASG and related servers are missing the required tags and is now marked
              for suspension if tags not added within 24 hours:
            action_desc: |
              "Actions Taken: The ASG is marked to be suspended tomorrow if
              required tags don't get added to the ASG"
            to:
              - CloudCustodian@Company.com
              - event-owner
            transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer
              region: us-east-1

      - name: asg-tag-compliance-unmark
        resource: asg
        mode:
          type: periodic
          schedule: "rate(5 minutes)"
        description: |
          Any ASG which have previously been marked as
          non compliant with tag policies, that are now compliant
          should be unmarked as non-compliant.
        comments: |
          Thank you for adding the required tags to your ASG! It is now compliant
          and has been resumed if it was in a suspended state.
        filters:
          - "tag:c7n_tag_compliance": not-null
          - "tag:ResourceContact": not-null
          - "tag:BillingCostCenter": not-null
          - "tag:Environment": not-null
          - "tag:ResourcePurpose": not-null
          - "tag:BusinessUnit": not-null
        actions:
          - type: unmark
            key: "c7n_tag_compliance"
          - resume
          - type: propagate-tags
            tags:
              - "ResourceContact"
              - "BillingCostCenter"
              - "Environment"
              - "ResourcePurpose"
              - "BusinessUnit"
          - type: notify
            template: default.html
            priority_header: 1
            subject: "ASG - AutoScaling Group is now compliant - [custodian {{ account }} - {{ region }}]"
            violation_desc: |
              "Your ASG which was previously missing required tags is now compliant and won't be suspended:"
            action_desc: |
              "Actions Taken: The ASG has been unmarked for suspending as its now compliant with tags"
            to:
              - resource-owner
            transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer
              region: us-east-1

      - name: asg-tag-compliance-suspend-day-1
        resource: asg
        mode:
          type: periodic
          schedule: "rate(1 hour)"
        description: |
          Suspends the ASG and resizes to 0 instances as the tags are still not compliant
        comments: |
          Your ASG has been suspended and resized to 0 instances as they do not have all
          the required tags on them. Please login to AWS and add the required tags to your ASG.
          Starting tomorrow hourly emails and suspensions will start occurring if the ASG is
          still not compliant. The following day your ASG will be deleted.
        filters:
          - or: *tag-compliance-filters
          - type: marked-for-op
            tag: c7n_tag_compliance
            op: suspend
          - type: value
            key: CreatedTime
            op: gte
            value_type: age
            value: 1
        actions:
          - suspend
          - type: mark-for-op
            tag: c7n_tag_compliance
            op: delete
            days: 2
          - type: notify
            template: default.html
            priority_header: 1
            subject: "ASG - !!!! Missing Required Tags !!!! - [custodian {{ account }} - {{ region }}]"
            violation_desc: |
              "Your ASG is missing the required tags and will be deleted in 2 days if still not compliant.
              Until then the ASG will be suspended every hour until tagged:"
            action_desc: |
              "Actions Taken: The ASG has been suspended as it doesn't meet tagging requirements.
              Please tag your ASG. ASG will be deleted in 2 days if not tagged."
            to:
              - resource-owner
            transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer
              region: us-east-1

      - name: asg-tag-compliance-nag-stop-day-2
        resource: asg
        mode:
          type: periodic
          schedule: "rate(1 hour)"
        description: |
          Suspends ASG and stops ASG instances every hour
          starting 1 day before their deletion if tags are still not compliant.
        filters:
          - or: *tag-compliance-filters
          - type: marked-for-op
            tag: c7n_tag_compliance
            op: delete
            skew: 1
          - type: value
            key: CreatedTime
            op: gte
            value_type: age
            value: 2
        actions:
          - suspend
          - type: notify
            template: default.html
            priority_header: 1
            subject: "ASG - AutoScaling Group Suspended!!! - [custodian {{ account }} - {{ region }}]"
            violation_desc: |
              "Your ASG is missing the required tags and will be deleted in less than 1 day if still
              not compliant. Until then the ASG will be suspended every hour
              until tagged or Deleted:"
            action_desc: |
              "Actions Taken: The ASG has been suspended and set to 0 instances as it doesn't meet
              tagging requirements. Please tag your ASG now.
              ASG will be deleted in less than 1 day if not tagged."
            to:
              - resource-owner
            transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer
              region: us-east-1

      - name: asg-tag-compliance-delete-day3
        resource: asg
        mode:
          type: periodic
          schedule: "rate(1 hour)"
        description: |
          Delete all ASG marked for deletion by today's date.
        comments: |
          Your ASG has been deleted as it still did not meet the required tag compliance!
        filters:
          - or: *tag-compliance-filters
          - type: marked-for-op
            tag: c7n_tag_compliance
            op: delete
          - type: value
            key: CreatedTime
            op: gte
            value_type: age
            value: 3
        actions:
          - type: delete
            force: true
          - type: notify
            template: default.html
            priority_header: 1
            subject: "ASG - ASG Deleted Due To Missing Tags - [custodian {{ account }} - {{ region }}]"
            violation_desc: "Your ASG is still missing the required tags:"
            action_desc: |
              "Actions Taken: The ASG has been Deleted.
              A new ASG will need to be launched to replace this if needed.
              Please make sure to tag the new ASG"
            to:
              - CloudCustodian@Company.com
              - resource-owner
            transport:
              type: sqs
              queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer
              region: us-east-1
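
The date logic behind the ASG policies above, replayed for an ASG that never receives its required tags (an added example, not part of the original page or of Cloud Custodian's code). It assumes the c7n_tag_compliance value has the form "<message>: <op>@YYYY/MM/DD" and that a marked-for-op filter matches once today is on or after that date minus skew days; mark, is_due and asg_timeline are hypothetical helper names, and the CreatedTime age filters are left out because they are already satisfied on each day shown.

```python
from datetime import date, datetime, timedelta

# Assumption: the mark-for-op tag value looks like
# "Resource does not meet policy: suspend@2024/03/02" (op@date).
MSG = "Resource does not meet policy: {op}@{when:%Y/%m/%d}"

def mark(op, today, days):
    """Tag value a mark-for-op action with `days` would write on `today`."""
    return MSG.format(op=op, when=today + timedelta(days=days))

def is_due(tag_value, op, today, skew=0):
    """marked-for-op check: same op, and today >= action date minus skew days."""
    if not tag_value or "@" not in tag_value or ":" not in tag_value:
        return False  # a missing or hand-edited tag never matches
    target = tag_value.rsplit(":", 1)[1].strip()
    marked_op, _, when = target.partition("@")
    if marked_op != op:
        return False
    try:
        action_date = datetime.strptime(when, "%Y/%m/%d").date()
    except ValueError:
        return False
    return today >= action_date - timedelta(days=skew)

def asg_timeline(created, days=4):
    """Replay the ASG policies day by day for an ASG that stays untagged."""
    tag, log = mark("suspend", created, 1), []           # ...-mark-new-day-0
    for n in range(days):
        today, fired = created + timedelta(days=n), []
        if is_due(tag, "suspend", today):                # ...-suspend-day-1
            fired.append("suspend")
            tag = mark("delete", today, 2)               # re-mark for deletion
        if is_due(tag, "delete", today, skew=1):         # ...-nag-stop-day-2
            fired.append("nag-suspend")
        if is_due(tag, "delete", today):                 # ...-delete-day3
            fired.append("delete")
        log.append((n, fired))
        if "delete" in fired:
            break
    return log

if __name__ == "__main__":
    for day, fired in asg_timeline(date(2024, 3, 1)):    # constructed date
        print(day, fired)
```

On day 3 both the nag and the delete filters match, so which of the two hourly policies runs first decides whether one more suspension notice goes out before the deletion.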